An overview of DoS and Ways to Detect and Prevent DDoS Attack.

By | August 30, 2009

DoS is an abbreviation of Denial of Service attack. It is a type of attack on a network which is developed to flood the network with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For almost every attack that is known, there are software fixes available, which the system administrators can install to limit the damage caused by the attacks. Just like viruses, newer DoS attacks are being developed by hackers.With this attack usually there is a loss of service to users, more often there is a loss of network connectivity and services due to such attacks.Hackers can direct such attacks to any network device which includes routers,DNS (Domain Name Servers) etc.

DDoS Attack

There are few ways to identify a DoS attack.Below are four basic types that can help you to realize about the DoS attack.

a) You may realize that the server consumption has largely increased or there is a system overload. You may also notice an overload of network resources viz. CPU,bandwidth and disk space.
b) In the case of an attack there is a disruption seen in the configuration information such as routing info.
c) Sometimes there can also be a disruption of physical network components.
d) There can be a disruption of normal operating system functionality by exploiting any of a software vulnerability.

In such attacks the attackers try to flood the network with unsolicitated packets, which prevents the legitimate traffic, this is the most common type of an attack.This type of attack disrupts the network connectivity with the use of multiple hosts in a Distributed Denial of Service, also referred as DDoS.Apart from the randon traffic specifically two of the sophisticated ways of attack are:

a) An SYN flood.In this bogus SYN requests to a service ususally HTTP, causes a server to overload by spawning half open connections.
b) An Smurf Attack.In this the ICMP requests are sent to a broadcast address of misconfigured networks with a false source IP address set to one of the target.

Distributed Denial of Service Attacks

In distributed denial of service attacks, usually a personal computer that is connected to a broadband Internet network which have been compromised by viruses or programs such as Trojan Horse. With this one can control the machines remotely and direct the attack.This type of array of computers is known as a botnet.With this no matter how well the websites are connected,can be disrupted.

TCP Connections
The TCP connections usually requires the exchange of three Internet packets between two machines in an interchange called as the TCP Three Way Hand Shake.Below is the working of this:

a) SYN: In this a TCP client (ftp client,web browser etc.) initiates a connection with TCP server by forwarding a SYN packet to the server.
b) SYN/ACK: When a connection requests SYN packet is received at an OPEN TCP service port, the server’s operating system sends a reply with a connection acceptance SYN/ACK packet.
c) ACK: When the client receives the servers acknowledging SYN/ACK packet for the pending connection,it replies with an ACK packet.

Abuse TCP: Traditional SYN Flood

In this a servers receipt of a clients SYN packet causes the server to prepare for a connection.Memory buffers are usually allocated for sending and receiving the connection data.It records the various details of the clients connection which includes their remote IP and connection port number.In this way the server is prepared to accept the clients final connection opening ACK packet.Incase the clients ACK packet fails to arrive, the server is capable of re-sending its SYN/ACK packet assuming that they might have got lost of dropped in between.

As the technology to avoid such attacks increased,so did the hackers made improvements. With the use of Raw Sockets the packets return address ie. the source IP address can be overridden and falsified. When a SYN packet with a spoofed source IP arrives at the server, it appears as any other valid legal connection and hence the server allocates the required memory buffers and records information about the new connection.Further it sends out SYN/ACK answering packet back to the client. But as the source IP contained in the SYN packet was deliberately falsified,the SYN/ACK will be sent to a random IP address over the Internet. The biggest problem is that there are over four billion internet addresses and the server does not have a way to know that the malicious client connection was fake.Therefore every request is treated similar to a valid connection request.It needs to wait until the client completes the Three Way Handshake.If the ACK is not received the server needs to resend the SYN/ACK with an assumption that it might have been lost during the path.

This indicates the connection management consumes valuable limited resources of the server. In the meanwhile the attacking TCP client continues shooting out fraudulent SYN packets at the server, which forces it to accumulate a continuously growing pool of incomplete connections.There comes a point when the server is unable to accommodate any further half open connections and though a connection is valid, gets failed. This is due to the limited ability to accept any connections might have been consumed maliciously.

What is the difference between DoS and DDoS?

DoS is a traditional way of attack.In this a machine (may be a personal computer) attacks the other. Whereas DDoS is a bit higher and a destructive version of DoS. In this floods of traffic is generated by focusing the combined bandwidth of multiple machines onto a single target machine or a network.

Steps to Identify and STOP DDoS attack.

You can check the current http usage by firing the command

================
top -d2
================

Incase you get lots of httpd processes, then you need to check if it is a DoS attack and the server is flooded with SYN packets. You can check this by the following command.

================================
netstat -nap | grep SYN | wc -l
================================

Incase you get abnormal numbers then your server is under attack.

You can check the IPs from which the SYN packets are coming. In this case you will have to use the following command:

================================
netstat -nap | less
================================

You will get all the details of kernel routing table also the IPs from where the packets are coming. If it is coming from any particular IP, then you can simply block that IP on the server. Or if its from one network then you will have to block the range of IPs.
If there are multiple IPs which are attacking then you will have to find which site is under attack.
To check this go to /usr/local/apache/domlogs/

Check how stat’s date is defined. Then run the command “date”. Check the current time of the server. Then you have to check which site was under attack few mins ago. Suppose current time is Aug 30 00:04:48, then run the command

================================
grep “30/Aug/2009:00:01” *
================================

It will show you the list of sites accessed at that time. If you see any particular site is being accessed multiple times, then the site is under attack. You can chnage the time to check if different sites are under attack. You can suspend that site to prevent the server from overloading.

Many times the attack hits a particular IP and all the sites having that IP get attacked. All you have to do is change the IP of those sites and then null-route that IP.